IPSEC and AnyConnect error

Luca Pecchiari
Level 1

Hello guys,

I moved from SSL VPN to IPsec VPN.

I verified the connection with the Cisco VPN client, but I have a question.

Is it possible to connect with AnyConnect to IPsec? When I try with the AnyConnect app for iOS I get an error: the cryptographic algorithms requested by the gateway are not supported by the AnyConnect app.

Please can you suggest what I have to change?

Thank you

 

!
aaa authentication login default local
aaa authentication login userlist local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network grouplist local
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group -group-
 key password
 domain internal
 pool VPN-POOL
 acl 182
!
crypto isakmp profile ip--group-
 match identity group -group-
 client authentication list userlist
 isakmp authorization list grouplist
 client configuration address respond
 virtual-template 2
!
crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set tr-aes-sha esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ip--group-
 set transform-set tr-aes-sha
 set isakmp-profile ip--group-
!
interface Virtual-Template2 type tunnel
 ip unnumbered Dialer0
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ip--group-
!
access-list 182 remark # VPN Users #
access-list 182 permit ip 192.168.1.0 0.0.0.255 host 192.168.69.10
access-list 182 permit ip 192.168.1.0 0.0.0.255 host 192.168.69.11
access-list 182 permit ip 192.168.1.0 0.0.0.255 host 192.168.69.12
1 Accepted Solution (Marvin Rhoads, Hall of Fame)

3 Replies

marce1000
VIP

- Possibly obsolete ciphers being offered; you may find this thread informational:

https://community.cisco.com/t5/vpn/anyconnect-error-cryptographic-algorithms-required-by-the-secure/td-p/4141765

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Marvin Rhoads
Hall of Fame

Diffie-Hellman (DH) groups 2, 5, 14, and 24 are deprecated as of AnyConnect 4.9.

Source: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/release/notes/release-notes-anyconnect-4-9.html#Cisco_Reference.dita_cf700242-15ba-4561-ba36-8eff569f93e9

You need an ISAKMP policy that includes one of the currently supported DH groups. Here's a list of them:
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/feature/guide/anyconnect49features.html#pgfId-102311

(Groups 15-16 and 19-21 FYI)

Luca Pecchiari
Level 1

SOLVED! Thank you guys.

Basically I went for this config, taken from here https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html with some modifications in bold.

For AnyConnect on PC you need to make an AnyConnect profile; by the way, the link above explains this.

 

 

aaa new-model
aaa authentication login a-eap-authen-local local
aaa authorization network a-eap-author-grp local
!
ip access-list standard split_tunnel
 permit 192.168.1.0 0.0.0.255
!
crypto ikev2 authorization policy ikev2-auth-policy
 pool VPN-POOL
 dns 192.168.1.1
 route set access-list split_tunnel
!
crypto ikev2 proposal Anyconnect-proposal
 encryption aes-cbc-256
 integrity sha512
 group 21
!
crypto ikev2 policy Anyconnect-policy
 proposal Anyconnect-proposal
!
crypto ikev2 profile AnyConnect-EAP
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint TEST
 aaa authentication anyconnect-eap a-eap-authen-local
 aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
 aaa authorization user anyconnect-eap cached
 virtual-template 2
 anyconnect profile acvpn
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile AnyConnect-EAP
 set transform-set TS
 set ikev2-profile AnyConnect-EAP
!
interface Virtual-Template2 type tunnel
 ip unnumbered Dialer0
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AnyConnect-EAP
!

Here I listed the usable values (the ones not deprecated in the Apple AnyConnect app):

C897VA-K9(config-ikev2-proposal)#group ?
15 DH 3072 MODP
16 DH 4096 MODP
19 DH 256 ECP
20 DH 384 ECP
21 DH 521 ECP


C897VA-K9(config-ikev2-proposal)#encryption ?

aes-cbc-128 AES-CBC-128
aes-cbc-192 AES-CBC-192
aes-cbc-256 AES-CBC-256
aes-gcm-128 Combined-mode,128 bit key,16 byte ICV(Authentication Tag)
aes-gcm-256 Combined-mode,256 bit key,16 byte ICV(Authentication Tag)

C897VA-K9(config-ikev2-proposal)#integrity ?

sha1 Secure Hash Standard
sha256 Secure Hash Standard 2 (256 bit)
sha384 Secure Hash Standard 2 (384 bit)
sha512 Secure Hash Standard 2 (512 bit)
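As an added example (not code from this thread, Cisco, or the FlexVPN guide), the small Python audit below ties together Marvin's answer and the working configuration above: it walks an IOS running-config, pulls the `group` line out of every `crypto isakmp policy` and `crypto ikev2 proposal` block, and reports each DH group against the AnyConnect 4.9 sets quoted in the thread (2, 5, 14, 24 deprecated; 15, 16, 19, 20, 21 supported). The two sample configs are constructed from the opening post and the accepted solution. One caveat the thread only implies: AnyConnect negotiates IKEv2 only, so the IKEv1 `isakmp` policies of the first post could never have served it regardless of group; the parser still reads them so the before and after can be compared on the same terms.

```python
"""Audit Cisco IOS IKE policies/proposals for DH groups AnyConnect 4.9+ no longer accepts.

Added example; the group lists come from the AnyConnect 4.9 release notes cited in the
thread, everything else (function names, samples) is this example's own construction.
"""
import re

# From the AnyConnect 4.9 release notes quoted in the thread.
DEPRECATED_DH_GROUPS = {2, 5, 14, 24}
SUPPORTED_DH_GROUPS = {15, 16, 19, 20, 21}

# Block headers whose sub-commands may carry a "group N [N ...]" line.
_BLOCK_RE = re.compile(r"^(crypto isakmp policy \d+|crypto ikev2 proposal \S+)\s*$")
_GROUP_RE = re.compile(r"^group\s+((?:\d+\s*)+)$")
# Top-level keywords that end the current block even without a '!' separator
# (the thread's first paste lost its indentation, so we cannot rely on leading spaces).
_TOP_LEVEL = ("crypto ", "interface ", "aaa ", "access-list ", "ip ")


def parse_dh_groups(config_text):
    """Return {block_header: [dh_groups]} for every ISAKMP policy / IKEv2 proposal."""
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None          # '!' (or a blank line) terminates a block
            continue
        header = _BLOCK_RE.match(line)
        if header:
            current = header.group(1)
            blocks[current] = []
            continue
        if current is None:
            continue
        if line.startswith(_TOP_LEVEL):
            current = None          # some other top-level command started
            continue
        groups = _GROUP_RE.match(line)
        if groups:
            blocks[current].extend(int(n) for n in groups.group(1).split())
    return blocks


def audit(config_text):
    """Return a list of (block_header, dh_group, verdict) for each DH group offered."""
    findings = []
    for block, groups in parse_dh_groups(config_text).items():
        for grp in groups:
            if grp in DEPRECATED_DH_GROUPS:
                verdict = "deprecated in AnyConnect 4.9"
            elif grp in SUPPORTED_DH_GROUPS:
                verdict = "supported"
            else:
                verdict = "not in the AnyConnect 4.9 supported list"
            findings.append((block, grp, verdict))
    return findings


def anyconnect_compatible(config_text):
    """True if at least one policy/proposal offers a group AnyConnect 4.9 accepts."""
    return any(verdict == "supported" for _, _, verdict in audit(config_text))


# Constructed sample: the IKEv1 policies from the opening post.
ORIGINAL_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
"""

# Constructed sample: the IKEv2 proposal from the accepted solution.
FIXED_CONFIG = """\
crypto ikev2 proposal Anyconnect-proposal
 encryption aes-cbc-256
 integrity sha512
 group 21
!
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"--- {name}: AnyConnect-compatible = {anyconnect_compatible(cfg)}")
        for block, grp, verdict in audit(cfg):
            print(f"{block}: group {grp} -> {verdict}")
```

Run it against the output of `show running-config | section crypto` to see which policies a 4.9+ client can still negotiate; a proposal that lists several groups is reported line by line, so a mixed `group 14 19` shows one deprecated and one supported entry rather than hiding the weak offer.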
